All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Device Cryptographic Module

Certificate#5056StandardFIPS 140-3Level2TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorF5, Inc.
Low review priority  ·  no TCB surface named  ·  last validated 10 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date9/1/2030
CaveatWhen operated in approved mode; When tamper evident labels contained in F5-ADD-BIG-FIPS140 kit and installed as indicated in the Security Policy section 7; No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs
VendorF5, Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Device Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>status output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Device Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>status output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

F5, Inc. Device Cryptographic Module Last update: August 2025 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com

Page 2
Table of Contents
#SectionPage
Page 4
List of Tables
ItemPage
Table 1: Security Levels6
Table 2: Tested Module Identification – Hardware11
Table 3: Modes List and Description11
Table 4: Approved Algorithms14
Table 5: Vendor-Affirmed Algorithms14
Table 6: Non-Approved, Not Allowed Algorithms15
Table 7: Security Function Implementations18
Table 8: Entropy Certificates19
Table 9: Entropy Sources19
Table 10: Ports and Interfaces21
Table 11: Authentication Methods23
Table 12: Roles25
Table 13: Approved Services55
Table 14: Non-Approved Services56
Table 15: Mechanisms and Actions Required60
Table 16: Storage Areas67
Table 17: SSP Input-Output Methods67
Table 18: SSP Zeroization Methods68
Table 19: SSP Table 172
Table 20: SSP Table 275
Table 21: Pre-Operational Self-Tests76
Table 22: Conditional Self-Tests80
Table 23: Pre-Operational Periodic Information80
Table 24: Conditional Periodic Information82
Table 25: Error States83
Figure 1: Block Diagram7
Figure 2 - BIG-IP i4600 and BIG-IP i48008
Figure 3 - BIG-IP i5600, BIG-IP i5800 and BIG-IP i5820-DF8
Figure 4 – BIG-IP i7600, BIG-IP i7800 and BIG-IP i7820-DF8
Figure 5 - BIG-IP i10600, BIG-IP i10800 and BIG-IP i11600-DS, BIG-IP i11800-DS8
Figure 6 – BIG-IP i15600, BIG-IP i15800, BIG-IP i15820-DF8
Figure 7 - B2250 blade mounted in VIPRION chassis C24009
Figure 8 - B4450 blade mounted in VIPRION chassis C44809
Figure 9 - Tamper labels on BIG-IP i4600 and BIG-IP i480061
Figure 10 – Tamper labels on BIG-IP i5600, BIG-IP i5800 and BIG-IP i5820-DF61
Figure 11 – Tamper labels on BIG-IP i7600, BIG-IP i7800 and BIG-IP i7820-DF.62
DS.62
Figure 13 – Tamper labels on BIG-IP i15600, BIG-IP i15800, and BIG-IP i15820-DF.63
Figure 14 – Tamper labels on chassis with VIPRION B2250 blade63
Figure 15 – Tamper labels on chassis with VIPRION B4450 blade64
Page 5

F5®, BIG-IP®, TMOS® are Registered trademarks of F5, Inc. Intel® Xeon® and Intel® Atom® processors are Registered trademarks of Intel Corporation. © 2025 F5, Inc.

Page 6
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy that contains the security rules under which the Device Cryptographic Module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an Overall Security Level 2 module.

1.2 Security Levels

Section Title Security Level

1 General 2

2 Cryptographic module specification 2

3 Cryptographic module interfaces 2

4 Roles, services, and authentication 2

5 Software/Firmware security 2

6 Operational environment N/A

7 Physical security 2

8 Non-invasive security N/A

9 Sensitive security parameter management 2

10 Self-tests 2

11 Life-cycle assurance 2

12 Mitigation of other attacks N/A

Overall Level 2 Table 1: Security Levels © 2025 F5, Inc.

Page 7
2 Cryptographic Module Specification
2.1 Description

The Device Cryptographic Module (hereafter referred to as “the module”) is a smart evolution of F5’s market leading Application Delivery Controller (ADC) technology. Solutions built on this platform are load balancers. They are full proxies that give visibility into, and the power to control—inspect and encrypt or decrypt—all the traffic that passes through your network. Purpose and Use: Underlying BIG-IP/ VIPRION hardware and software are F5’s proprietary operating system, Traffic Management Operating System (TMOS), which provides unified intelligence, flexibility, and programmability. With its application control plane architecture, TMOS is a highly optimized system providing control over the acceleration, security, and availability services your applications require. TMOS establishes a virtual, unified pool of highly scalable, resilient, and reusable services that can dynamically adapt to the changing conditions in data centers and virtual and cloud infrastructures. In the following documentation TMOS and BIG-IP are interchangeably used where system and feature modules are concerned. The Control (or Management) Plane refers to the connection from an administrator to the BIG-IP for system management. The Data Plane refers to the traffic passed between external entities and internal servers. Module Type: Hardware Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary of the module is defined by the exterior surface of the appliance (red dotted line in Figure 1). The block diagram below shows the module, its interfaces with the operational environment and the delimitation of its cryptographic boundary. Figure 1 also depicts the flow of status output (SO), control input (CI), data input (DI) and data output (DO). Description of the ports and interfaces can be found in Table- Ports and Interfaces. Figure 1: Block Diagram © 2025 F5, Inc.

Page 8

Tested Operational Environment’s Physical Perimeter (TOEPP): N/ A for hardware module. Diagram, Photograph: Figure 2 - BIG-IP i4600 and BIG-IP i4800 Figure 3 - BIG-IP i5600, BIG-IP i5800 and BIG-IP i5820-DF Figure 4

Page 9

Figure 7 - B2250 blade mounted in VIPRION chassis C2400 Figure 8 - B4450 blade mounted in VIPRION chassis C4480

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 10

Model Hardware Firmware Processors Features and/or Version Version Part Number i5800 BIG- i5800 17.1.01 Intel® Xeon® 1 x USB port; 8 x 10GbE; 4 x IP iseries E5-1630v4, 40GbE network ports; 1 x Broadwell Console port; 1 x 1GbE management port i5820-DF i5820-DF 17.1.01 Intel® Xeon® 1 x USB port; 8 x 10GbE; 4 x BIG-IP E5-1630v4, 40GbE network ports; 1 x iseries Broadwell Console port; 1 x 1GbE management port i7600 BIG- i7600 17.1.01 Intel® Xeon® 1 x USB port; 8 x 10GbE and 4 IP iseries E5-1650v4, x 40GbE network ports; 1 x Broadwel Console port; 1 x 10/100/1000BaseT management port i7800 BIG- i7800 17.1.01 Intel® Xeon® 1 x USB port; 8 x 10GbE and 4 IP iseries E5-1650v4, x 40GbE network ports; 1 x Broadwel Console port; 1 x 10/100/1000BaseT management port i7820-DF i7820-DF 17.1.01 Intel® Xeon® 1 x USB port; 8 x 10GbE and 4 BIG-IP E5-1650v4, x 40GbE network ports; 1 x iseries Broadwel Console port; 1 x 10/100/1000BaseT management port i10600 i10600 17.1.01 Intel® Xeon® 1 x USB port; 8 x 10GbE; 6 x BIG-IP E5-1660v4, 40GbE network ports; 1 x iseries Broadwell Console port; 1 x 1GbE management port i10800 i10800 17.1.01 Intel® Xeon® 1 x USB port; 8 x 10GbE; 6 x BIG-IP E5-1660v4, 40GbE network ports; 1 x iseries Broadwell Console port; 1 x 1GbE management port i11600-DS i11600-DS 17.1.01 Intel® Xeon® 1 x USB port; 8 x 10GbE; 6 x BIG-IP E5-2695v4, 40GbE network ports; 1 x iseries Broadwell Console port; 1 x 1GbE (10/100/1000 capable) management port i11800-DS i11800-DS 17.1.01 Intel® Xeon® 1 x USB port; 8 x 10GbE; 6 x BIG-IP E5-2695v4, 40GbE network ports; 1 x iseries Broadwell Console port; 1 x 1GbE (10/100/1000 capable) management port i15600 BIG-IP 17.1.01 Intel® Xeon® 1 x USB port; 8 x 40GbE; 4 x BIG-IP iseries E5-2680v4, 100GbE network ports; 1 x iseries i15600 Broadwell Console port; 1 x 1GbE management port i15800 i15800 17.1.01 Intel® Xeon® 1 x USB port; 8 x 40GbE; 4 x BIG-IP E5-2680v4, 100GbE network ports; 1 x iseries Broadwell © 2025 F5, Inc.

Page 11

Model Hardware Firmware Processors Features and/or Version Version Part Number Console port; 1 x 1GbE management port i15820-DF i15820-DF 17.1.01 Intel® Xeon® 1 x USB port; 8 x 40GbE; 4 x BIG-IP E5-2680v4, 100GbE network ports; 1 x iseries Broadwell Console port; 1 x 1GbE management port B2250 VIPRION 17.1.01 Intel® Xeon® 2 x USB port; 4 x 40 GbE C2400 E5-2658v2, Ivy network ports; 1 x Console Bridge port; 1 x GbE management port B4450 VIPRION 17.1.01 Intel® Xeon® 1 x USB port; 6 x 40 GbE; 2 x C4480 E5-2658v3, 100 GbE network ports; 1 x Haswell Console port; 1 x GbE (10/100/1000 Ethernet) management port Table 2: Tested Module Identification

2.3 Excluded Components
2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name Approved Automatically entered Approved Equivalent to the indicator of mode whenever an approved the requested service as service is requested defined in section 4.3 Non- Only non-approved security Non- Equivalent to the indicator of Approved functions can be used Approved the requested service as mode defined in section 4.3 Table 3: Modes List and Description The module enters the Approved Mode after the pre-operational self-tests and conditional algorithms self-tests (CASTs) have completed successfully. Mode Change Instructions and Status: The module enters the approved mode after pre-operational self-tests succeed. The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested.

2.5 Algorithms
Page 12

Algorithm CAVP Properties Reference Cert AES-CBC A3697 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A3698 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 256 AES-CCM A3697 Key Length - 128, 192, 256 SP 800-38C AES-CCM A3698 Key Length - 128, 256 SP 800-38C AES-CTR A3697 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A3697 Direction - Decrypt, Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A3698 Direction - Decrypt, Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 256 Counter DRBG A3697 Prediction Resistance - No, Yes SP 800-90A Mode - AES-256 Rev. 1 Derivation Function Enabled - No, Yes Counter DRBG A3698 Prediction Resistance - No SP 800-90A Mode - AES-256 Rev. 1 Derivation Function Enabled - Yes ECDSA KeyGen A3697 Curve - P-256, P-384 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyGen A3698 Curve - P-256, P-384 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A3697 Curve - P-256, P-384 FIPS 186-4 (FIPS186-4) ECDSA KeyVer A3698 Curve - P-256, P-384 FIPS 186-4 (FIPS186-4) ECDSA SigGen A3697 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 ECDSA SigGen A3698 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 ECDSA SigVer A3697 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 ECDSA SigVer A3698 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384 © 2025 F5, Inc.

Page 13

Algorithm CAVP Properties Reference Cert Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 HMAC-SHA-1 A3697 Key Length - Key Length: 8, 16, 64, 128, FIPS 198-1 1024 HMAC-SHA-1 A3698 Key Length - Key Length: 8, 16, 64, 128, FIPS 198-1 1024 HMAC-SHA2-256 A3697 Key Length - Key Length: 8, 16, 64, 128, FIPS 198-1 1024 HMAC-SHA2-256 A3698 Key Length - Key Length: 8, 16, 64, 128, FIPS 198-1 1024 HMAC-SHA2-384 A3697 Key Length - Key Length: 8, 16, 64, 128, FIPS 198-1 1024 HMAC-SHA2-384 A3698 Key Length - Key Length: 8, 16, 64, 128, FIPS 198-1 1024 KAS-ECC-SSC A3697 Domain Parameter Generation Methods - SP 800-56A Sp800-56Ar3 P-256, P-384 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-ECC-SSC A3698 Domain Parameter Generation Methods - SP 800-56A Sp800-56Ar3 P-256, P-384 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A3697 Domain Parameter Generation Methods - SP 800-56A Sp800-56Ar3 ffdhe2048, ffdhe3072, ffdhe4096 Rev. 3 Scheme dhEphem KAS Role - initiator, responder KAS-FFC-SSC A3698 Domain Parameter Generation Methods - SP 800-56A Sp800-56Ar3 ffdhe2048, ffdhe3072, ffdhe4096 Rev. 3 Scheme dhEphem KAS Role - initiator, responder KDF SSH (CVL) A3697 Cipher - AES-128, AES-256 SP 800-135 Hash Algorithm - SHA2-256, SHA2-384 Rev. 1 RSA KeyGen A3697 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A3697 Signature Type - PKCS 1.5 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigGen A3698 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A3697 Signature Type - PKCS 1.5 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 © 2025 F5, Inc.

Page 14

Algorithm CAVP Properties Reference Cert RSA SigVer A3698 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Safe Primes Key A3697 Safe Prime Groups - ffdhe2048, SP 800-56A Generation ffdhe3072, ffdhe4096 Rev. 3 Safe Primes Key A3698 Safe Prime Groups - ffdhe2048, SP 800-56A Generation ffdhe3072, ffdhe4096 Rev. 3 Safe Primes Key A3697 Safe Prime Groups - ffdhe2048, SP 800-56A Verification ffdhe3072, ffdhe4096 Rev. 3 Safe Primes Key A3698 Safe Prime Groups - ffdhe2048, SP 800-56A Verification ffdhe3072, ffdhe4096 Rev. 3 SHA-1 A3697 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA-1 A3698 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-256 A3697 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-256 A3698 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-384 A3697 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-384 A3698 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

TLS v1.2 KDF A3697 Hash Algorithm - SHA2-256, SHA2-384 SP 800-135 RFC7627 (CVL) Rev. 1 TLS v1.2 KDF A3698 Hash Algorithm - SHA2-256, SHA2-384 SP 800-135 RFC7627 (CVL) Rev. 1 Table 4: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference Cryptographic Key N/A Random bit strings required Key Generation Type:Asymmetric for generating the (CKG) cryptographic keys is compliant with [SP 800133Rev2] section 4 example 1 Table 5: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: © 2025 F5, Inc.

Page 15

Name Use and Function HMAC-SHA2-224, HMAC-SHA2-512 Message authentication TLS Triple-DES, Camellia, SEED Symmetric encryption and decryption TLS HMAC-SHA2-256, HMAC-SHA2-512, AES-GCM Message authentication in IPsec/ IKEv2 protocol PKCS #1 v1.5 scheme with modulus other than RSA signature generation and 2048, 3072 or 4096 bits, for all SHA sizes verification PKCS #1 v1.5 and PSS schema with modulus size RSA signature generation 2048, 3072, 4096 bits with SHA-1, SHA2-224, SHA2-512; ANS X9.31 PKCS #1 v1.5 and PSS schema with modulus size RSA signature verification 2048, 3072, 4096 bits with SHA2-224, SHA2-512 ECDSA with curves P-256, P-384 with SHA-1, SHA2- ECDSA signature generation 224, SHA2-512; ECDSA using curves other than P-

256 and P-384, all SHA sizes

ECDSA with curves P-256, P-384 with SHA2-224, ECDSA signature verification SHA2-512; ECDSA using curves other than P-256 and P-384, all SHA sizes RSA with modulus sizes up to 16384 bits RSA encrypt / decrypt DSA with all key and SHA sizes DSA domain parameter generation, domain parameter verification, key pair generation, signature generation and verification Diffie-Hellman using MODP1024, MODP2048 groups Shared secret computation in IPsec/IKE protocol MD5/ SHA-1/ SHA2-224 / SHA2-512 Key Derivation function in the context of TLS KDF EdDSA with Ed25519 EdDSA digital signature SHA-1, AES-ECB, RSA- signature verification SNMP TLS ciphersuites implemented by f5-rest-node TLS used in SSL Orchestrator (SSLO) RSA keypair with 2048, 3072 and 4096 (REST API) iControl representation state transfer (REST) access EC Diffie-Hellman Ephemeral Unified with curves Shared secret computation other than P-256, P-384. EC Diffie-Hellman using onePassDH / StaticUnified schemes. Diffie-Hellman using groups other than ffdhe2048, ffdhe3072, ffdhe4096 Triple-DES, AES-GCM-128, AES-192, AES-256 Symmetric encryption and decryption in IPsec /IKEv2 Table 6: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Key KTS-Wrap Key Standard:SP 800- AES-GCM: Wrapping/Unwrapping Wrapping, 38F, FIPS 197 (A3698, © 2025 F5, Inc.

Page 16

Name Type Description Properties Algorithms with authenticated Key Caveat:Key A3697) encryption Unwrapping establishment AES-CCM: methodology (A3698, provides between A3697)

128 and 256 bits

of security strength IG D.G:approved or allowed method Key KTS-Wrap Key Standard:SP 800- AES-CBC: Wrapping/Unwrapping Wrapping, 38F, FIPS 197 (A3697, with encryption and Key Caveat:Key A3698) authentication in TLS Unwrapping establishment HMAC-SHA2in the methodology 256: (A3698, context of provides between A3697) TLS 128, 256 bits of HMAC-SHA2security strength 384: (A3698, IG D.G:approved A3697) or allowed HMAC-SHA-1: method (A3697, A3698) Key KTS-Wrap FIPS 197, SP Standard:SP 800- AES-CTR: Wrapping/Unwrapping 800-38F 38F, FIPS 197 (A3697) with encryption and Caveat:Key AES-CBC: authentication in SSH establishment (A3697) methodology HMAC-SHA-1: provides between (A3697) 128, 256 bits of HMAC-SHA2security strength 256: (A3697) IG D.G:approved or allowed method Key pair generation AsymKeyPair- Generate an ECDSA KeyGen ECDSA, KeyGen CKG ECDH, DH or (FIPS186-4): RSA key pair (A3698, A3697) RSA KeyGen (FIPS186-4): (A3697) Safe Primes Key Generation: (A3698, A3697) Cryptographic Key Generation (CKG): () © 2025 F5, Inc.

Page 17

Name Type Description Properties Algorithms Key pair verification AsymKeyPair- Verify an ECDSA KeyVer ECDSA or KeyVer ECDH or DH (FIPS186-4): key pair (A3698, A3697) Safe Primes Key Verification: (A3698, A3697) Signature generation DigSig- Generate a ECDSA SigGen digital SigGen signature (FIPS186-4): (A3698, A3697) RSA SigGen (FIPS186-4): (A3698, A3697) Signature verification DigSig-SigVer Verify a ECDSA SigVer digital (FIPS186-4): signature (A3698, A3697) RSA SigVer (FIPS186-4): (A3698, A3697) Random Number DRBG Generate Counter Generation in Control random DRBG: Plane bytes (A3698) Random Number DRBG Generate Counter Generation in Data random DRBG: Plane bytes (A3697) Message digest SHA Compute a SHA-1: message (A3698, digest A3697) SHA2-256: (A3698, A3697) SHA2-384: (A3698, A3697) SSH Handshake KAS-Full Key Caveat:Key KAS-ECC-SSC agreement establishment Sp800-56Ar3: methodology (A3697) provides between KDF SSH:

128 and 192 bits (A3697)

of key strength IG D.F:Scenario 2 (path 2) © 2025 F5, Inc.

Page 18

Name Type Description Properties Algorithms Key confirmation:no Key derivation:IG 2.4.B SP 800135rev1 CVL TLS Handshake (ECC) KAS-Full Key Key derivation:IG KAS-ECC-SSC agreement 2.4.B SP 800- Sp800-56Ar3: 135rev1 CVL (A3698, IG D.F:Scenario 2 A3697) (path 2) TLS v1.2 KDF Key RFC7627: confirmation:no (A3698, Caveat:Key A3697) establishment methodology provides between

128 and 192 bits

of security strength TLS Handshake (FFC) KAS-Full Key Prime TLS v1.2 KDF agreement groups:ffdhe2048, RFC7627: ffdhe3072, (A3698, ffdhe4096 A3697) Caveat:Key KAS-FFC-SSC establishment Sp800-56Ar3: methodology (A3698, provides between A3697)

112 to 150-bit

Compliance:IG D.F scenario 2 (path 2) Table 7: Security Function Implementations

2.7 Algorithm Specific Information

AES-GCM: The IV for AES-GCM is constructed in compliance with IG C.H scenario 1a (TLS 1.2). For TLS 1.2, the module offers the AES-GCM implementation and uses the context of Scenario 1a of IG C.H. The module is compliant with SP 800-52r2 section 3.3.1 and the mechanism for IV generation is compliant with RFC5288. The module’s implementation of AES-GCM is compliant to IG C.H option i) where module implements TLS protocol. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES-GCM key encryption or decryption under this scenario shall be established. RSA module sizes (IG C.F): All the modulus sizes supported by the module have been ACVP tested for FIPS 186-4 RSA signature verification. SP 800-56Ar3 Assurances: To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the keys for KAS-FFC-SSC and KAS-ECC-SSC must be generated using the © 2025 F5, Inc.

Page 19

approved key generation services specified in section 2.9. The module performs full public key validation on the generated public keys. Additionally, the module performs full public key validation on the received public keys. Legacy use (IG C.M): Per SP 800-131r2, the SHA-1 with FIPS 186-4 RSA Digital Signature Verification is used in approved mode (for legacy use). Algorithms designated as “Legacy” can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-

3 IG C.M.

IG C.K: The module includes CAVP certificates using FIPS 186-4 tests done prior to the IG C.K transition date of Feb 5th, 2024, and are mathematically identical to FIPS 186-5 CAVP tests, hence the module claim FIPS 186-5 compliance for these tests.

2.8 RBG and Entropy

Cert Vendor Number Name E74 F5 Table 8: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample CPU Non- OEs listed in Table 256 bits 256 bits SHA-3 vetted Jitter Physical Tested Module conditioning

3.4.0 Identification - component. ACVP

Hardware Cert. A2621 Table 9: Entropy Sources The module employs a Deterministic Random Bit Generator (DRBG) based on [SP 80090Ar1] for the generation of random value used in asymmetric keys, and for providing a RNG service to calling applications. The approved DRBG provided by the module is the CTR_DRBG with AES-256. The output of entropy sources provides 256-bits of entropy to seed and reseed SP 800-90Ar1 DRBG during initialization (seed) and reseeding (reseed). In accordance with FIPS 140-3 IG D.L, the 'Entropy input string', 'seed', 'DRBG internal state (V and key values)' are considered CSPs by the module. No non-DRBG functions or instances are able to access the DRBG internal state.

2.9 Key Generation

The module implements RSA, ECDSA, EC Diffie-Hellman and Diffie-Hellman asymmetric key generation services compliant with [FIPS186-5], using a [SP 800-90Ar1] DRBG. In accordance with FIPS 140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per [SP 800-133r2] section 4 example 1 (vendor affirmed). The RSA and ECDSA key pairs used for Digital Signature Schemes are generated in accordance with section 5.1 of [SP 800-133r2] and maps specifically to [FIPS 186-5] Appendix A.1.3 (ECDSA) and Appendix A.2.2 (RSA). The ECDH and DH key pairs used for Key Establishment are generated in accordance with section 5.2 of [SP 800-133r2] i.e. key generation method specified in [SP 800-56Ar3]. For this module the applicable method is from [SP 800-56Ar3] section 5.6.1.2 for ECC Key Pair © 2025 F5, Inc.

Page 20

Generation which actually maps to [FIPS 186-5] Appendix A.3.1 and is from [SP 800-56Ar3] section 5.6.1.1 for FFC Key Pair Generation. The module does not implement symmetric key generation as an explicit service. The HMAC and AES symmetric keys are derived from shared secrets by applying [SP 800-135] as part of the TLS/ SSH protocols. The scenario maps to the [SP 800-133r2] section 6.2.1 Symmetric keys generated using Key Agreement Scheme.

2.10 Key Establishment

The module provides the following key establishment services:

128 or 256 bits of encryption strength (AES and HMAC Cert. #A3697).
2.11 Industry Protocols

GCM with internal IV generation in the approved mode is compliant with version 1.2 of the TLS protocol (RFC 5288) and shall only be used in conjunction with the TLS protocol. Additionally, the module implements the TLS 1.2 and SSH key derivation functions for use in the TLS protocol and SSH protocol (RFC 4253 and RFC 6668). The TLS 1.2 and SSHv2 protocols have not been reviewed or tested by the CAVP or CMVP. © 2025 F5, Inc.

Page 21
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

The physical ports mapping to the logical interfaces and the flow of data passing over them are described in the Table below. Physical Port Logical Data That Passes Interface(s) Network Interface (SFP, SFP+, and Data Input TLS/SSH protocol input QSFP+ ports (Ethernet and/or Fiber messages; Configuration Optic) which allow transfer speeds from commands for interface 1Gbps up to 100Gbps management Network Interface (SFP, SFP+, and Data Output TLS/SSH protocol output QSFP+ ports) messages; Status logs Network Interface (SFP, SFP+, and Control Input API which control system state QSFP+ ports) (e.g. reset system, power-off system) Network Interface (SFP, SFP+, and Status API which provides system QSFP+ ports); Display Interface (LEDs, Output status information and/or output to STDOUT Power Interface Power Power Supply (PSU) Table 10: Ports and Interfaces The logical interfaces are the commands through which the users of the module request services. There are no external input or output devices to the module can be used for data input, data output, status output or control input. The module does not implement Control Output interface. © 2025 F5, Inc.

Page 22
4 Roles, Services, and Authentication
4.1 Authentication Methods

Method Name Description Security Strength Strength per Mechanism Each Minute Attempt Role-based The password must Password 1/676,000,000 3/676,000,000 authentication consist of a minimum with Password of 8 characters with at (CLI or Web least one from each of interface) the three-character classes. Character classes are defined as: digits (0-9), ASCII lowercase letters (a-z), ASCII uppercase letters (A-Z). - Assuming a worst-case scenario where the password contains six digits, one ASCII lowercase letter and one ASCII uppercase letter. The probability of guessing every character successfully is (1/10)^6 * (1/26)^1 * (1/26)^1 = 1/676,000,000. Note: this is less than 1/1,000,000. - - The maximum number of login attempts is limited to 3 after which the account is locked. This means that, in the worst case, an attacker has the probability of guessing the password in one minute as 3/676,000,000. Note: This is less than 1/100,000. Role-based The ECDSA using P-256 ECDSA 1/(2^128) 3/676,000,000 authentication or P-384 curves for key SigVer with SSH based authentication (FIPS186-4) ECDSA key-pair yields a minimum (A3697) (CLI only) security-strength of

128 bits . The chance

of a random authentication attempt falsely succeeding is at most 1/(2^128) that is © 2025 F5, Inc.

Page 23

Method Name Description Security Strength Strength per Mechanism Each Minute Attempt less than 1/1,000,000. - The maximum number of login attempts is limited to 3 after which the account switch to password authentication. Then the attacker probability of succeeding to establish the connection depends on the probability of guessing the password and it is, as above, 3/676,000,000 less than 1/100,000. Table 11: Authentication Methods The module supports different roles (one CO role and one User role) which create different authenticated sessions, while achieving the separation between the concurrent operators. Two interfaces can be used to access the module:

4.2 Roles

Name Type Operator Type Authentication Methods Administrator Role CO Role-based authentication with Password (CLI or Web interface) Role-based authentication with SSH ECDSA key-pair (CLI only) © 2025 F5, Inc.

Page 24

Name Type Operator Type Authentication Methods Auditor Role User Role-based authentication with Password (CLI or Web interface) Role-based authentication with SSH ECDSA key-pair (CLI only) Certificate Manager Role User Role-based authentication with Password (CLI or Web interface) Role-based authentication with SSH ECDSA key-pair (CLI only) Manager Role User Role-based authentication with Password (CLI or Web interface) Role-based authentication with SSH ECDSA key-pair (CLI only) iRule Manager Role User Role-based authentication with Password (CLI or Web interface) Role-based authentication with SSH ECDSA key-pair (CLI only) Operator Role User Role-based authentication with Password (CLI or Web interface) Role-based authentication with SSH ECDSA key-pair (CLI only) Resource Manager Role User Role-based authentication with Password (CLI or Web interface) Role-based authentication with SSH ECDSA key-pair (CLI only) User Manager Role User Role-based authentication with Password (CLI or Web interface) Role-based authentication with SSH ECDSA key-pair (CLI only) © 2025 F5, Inc.

Page 25

Table 12: Roles At initialization of the module, the CO is the only available role. Only the CO can create the user roles.

4.3 Approved Services

The service indicator gets recorded in the /var/log remote.log file after the service is executed. For approved services, the indicator is identified with the log message 'Service Indicator: Approved' and for non-approved services the log message includes 'Service Indicator: Not Approved'. For SSH service the service indicator is implicit: when the SSH connection is established the service with the cipher selected is approved. Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access List users Display list None None List of None Administr of all User user ator accounts accounts User Manager Resource Manager Auditor Create Create None Username / Confirmati None Administr additiona additional password on of ator l User User account creation Password :W User Manager Password :W Modify Modify None Username Confirmati None Administr existing existing on of ator Users Users account User modificati Manager on Delete Delete User None Username Confirmati None Administr User on of ator deletion User Manager Unlock Remove None Username Confirmati None Administr User lock from on of ator user who unlock User has Manager exceeded login attempts © 2025 F5, Inc.

Page 26

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access Update Update None Own Confirmati None Administr own own password on of ator password password update of password Password :W Auditor Password :W Certificat e Manager Password :W Manager Password :W iRule Manager Password :W Operator Password :W Resource Manager Password :W User Manager Password :W Update Update None Username / Confirmati None Administr others others password on of ator password password update Password :W User Manager Password :W © 2025 F5, Inc.

Page 27

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access Configur Set None New Confirmati None Administr e password password on of ator Password policy policy configurati Policy features on change Create Self-signed Service Certificate Confirmati Signature Administr TLS certificate Indicat identificatio on of generation ator Certificat creation or: n certificate - TLS RSA e Approv information creation private ed key: E - TLS ECDSA private key: E Certificat e Manager - TLS RSA private key: E - TLS ECDSA private key: E Resource Manager - TLS RSA private key: E - TLS ECDSA private key: E Create Used for Service Key Confirmati Key pair Administr TLS Key the SSL Indicat identificatio on of key generation ator Certificate or: n creation Random - TLS RSA key file Approv information Number private ed Generation in key: G Control Plane - TLS RSA Random public Number key: G Generation in - TLS Data Plane ECDSA private key: G - TLS ECDSA public key: G - DRBG seed : E © 2025 F5, Inc.

Page 28

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access - DRBG internal state (V and key values) : E,W - Entropy input: E Resource Manager - TLS RSA private key: G - TLS RSA public key: G - TLS ECDSA private key: G - TLS ECDSA public key: G - DRBG seed : E - DRBG internal state (V and key values) : E,W - Entropy input: E Certificat e Manager - TLS RSA private key: G - TLS RSA public key: G - TLS ECDSA private key: G - TLS ECDSA public key: G © 2025 F5, Inc.

Page 29

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access - DRBG seed : E - DRBG internal state (V and key values) : E,W - Entropy input: E Delete Self-signed None Key Confirmati None Administr TLS certificate / identificatio on of key / ator Certificat key n certificate - TLS RSA e /Key deletion information deletion private key: Z - TLS RSA public key: Z - TLS ECDSA private key: Z - TLS ECDSA public key: Z Resource Manager - TLS RSA private key: Z - TLS RSA public key: Z - TLS ECDSA private key: Z - TLS ECDSA public key: Z Certificat e Manager - TLS RSA private key: Z - TLS RSA public © 2025 F5, Inc.

Page 30

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access key: Z - TLS ECDSA private key: Z - TLS ECDSA public key: Z List Display / None List of Certificate None Administr Certificat log certificates expiration ator e expiration to display informatio Auditor data of n Certificat installed e certificates Manager Resource Manager List List private None List of TLS None Administr Private key private private ator Keys information keys to key Auditor (Name, display informatio Certificat size) n e Manager Resource Manager Establish SSH SSH User / Confirmati Signature Administr SSH session Key connect address / on of SSH generation ator session authenticat ion password / session Signature - SSH ion, Key success algorithms authentica verification ECDSA Exchange ful / key sizes / tion, SSH Handshake public key Confirmati key: E derivation on of SSH session Password key : W,E exchange - SSH EC DiffieHellman public key: G,R,W,E - SSH EC DiffieHellman private key: G,R,W,E - SSH shared secret: G - SSH © 2025 F5, Inc.

Page 31

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access derived session key : E Auditor - SSH ECDSA public key: E Password : W,E - SSH EC DiffieHellman public key: G,R,W,E - SSH EC DiffieHellman private key: G,R,W,E - SSH shared secret: G - SSH derived session key : E Certificat e Manager - SSH ECDSA public key: E Password : W,E - SSH EC DiffieHellman public key: G,R,W,E - SSH EC DiffieHellman private key: © 2025 F5, Inc.

Page 32

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access G,R,W,E - SSH shared secret: G - SSH derived session key : E Manager - SSH ECDSA public key: E Password : W,E - SSH EC DiffieHellman public key: G,R,W,E - SSH EC DiffieHellman private key: G,R,W,E - SSH shared secret: G - SSH derived session key : E iRule Manager - SSH ECDSA public key: E Password : W,E - SSH EC DiffieHellman public key: G,R,W,E - SSH EC © 2025 F5, Inc.

Page 33

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access DiffieHellman private key: G,R,W,E - SSH shared secret: G - SSH derived session key : E Operator - SSH ECDSA public key: E Password : W,E - SSH EC DiffieHellman public key: G,R,W,E - SSH EC DiffieHellman private key: G,R,W,E - SSH shared secret: G - SSH derived session key : E Resource Manager - SSH ECDSA public key: E Password : W,E - SSH EC DiffieHellman © 2025 F5, Inc.

Page 34

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access public key: G,R,W,E - SSH EC DiffieHellman private key: G,R,W,E - SSH shared secret: G - SSH derived session key : E User Manager - SSH ECDSA public key: E Password : W,E - SSH EC DiffieHellman public key: G,R,W,E - SSH EC DiffieHellman private key: G,R,W,E - SSH shared secret: G - SSH derived session key : E Maintain SSH data SSH SSH SSH Key Administr SSH encryption, connect Derived session Wrapping/Unwr ator Session decryption, ion Session informatio apping with - SSH integrity success key n encryption and derived ful authentication session in SSH key : E © 2025 F5, Inc.

Page 35

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access Auditor - SSH derived session key : E Certificat e Manager - SSH derived session key : E Manager - SSH derived session key : E iRule Manager - SSH derived session key : E Operator - SSH derived session key : E Resource Manager - SSH derived session key : E User Manager - SSH derived session key : E Establish TLS session Service Address / Confirmati Signature Administr TLS signature Indicat algorithms/ on of verification ator Session generation or: keys digital Message digest - TLS RSA and Approv signature TLS Handshake public verification ed verificatio (ECC) key: R , key n of TLS TLS Handshake - TLS exchange session, (FFC) ECDSA Confirmati public on of key: R establishm - TLS EC © 2025 F5, Inc.

Page 36

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access ent of TLS Diffiesession Hellman private key: E - TLS EC DiffieHellman public key: W - TLS DiffieHellman private key: E - TLS DiffieHellman public key: W - TLS preprimary secret : E,G - TLS derived session key : G - TLS primary secret: G Auditor - TLS RSA public key: R - TLS ECDSA public key: R - TLS EC DiffieHellman private key: E - TLS EC DiffieHellman public key: W - TLS DiffieHellman © 2025 F5, Inc.

Page 37

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access private key: E - TLS DiffieHellman public key: W - TLS preprimary secret : E,G - TLS derived session key : G - TLS primary secret: G Certificat e Manager - TLS RSA public key: R - TLS ECDSA public key: R - TLS EC DiffieHellman private key: E - TLS EC DiffieHellman public key: W - TLS DiffieHellman private key: E - TLS DiffieHellman public key: W - TLS preprimary secret : © 2025 F5, Inc.

Page 38

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access E,G - TLS derived session key : G - TLS primary secret: G Manager - TLS RSA public key: R - TLS ECDSA public key: R - TLS EC DiffieHellman private key: E - TLS EC DiffieHellman public key: W - TLS DiffieHellman private key: E - TLS DiffieHellman public key: W - TLS preprimary secret : E,G - TLS derived session key : G - TLS primary secret: G iRule Manager - TLS RSA public © 2025 F5, Inc.

Page 39

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access key: R - TLS ECDSA public key: R - TLS EC DiffieHellman private key: E - TLS EC DiffieHellman public key: W - TLS DiffieHellman private key: E - TLS DiffieHellman public key: W - TLS preprimary secret : E,G - TLS derived session key : G - TLS primary secret: G Operator - TLS RSA public key: R - TLS ECDSA public key: R - TLS EC DiffieHellman private key: E - TLS EC Diffie© 2025 F5, Inc.

Page 40

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access Hellman public key: W - TLS DiffieHellman private key: E - TLS DiffieHellman public key: W - TLS preprimary secret : E,G - TLS derived session key : G - TLS primary secret: G Resource Manager - TLS RSA public key: R - TLS ECDSA public key: R - TLS EC DiffieHellman private key: E - TLS EC DiffieHellman public key: W - TLS DiffieHellman private key: E - TLS DiffieHellman © 2025 F5, Inc.

Page 41

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access public key: W - TLS preprimary secret : E,G - TLS derived session key : G - TLS primary secret: G User Manager - TLS RSA public key: R - TLS ECDSA public key: R - TLS EC DiffieHellman private key: E - TLS EC DiffieHellman public key: W - TLS DiffieHellman private key: E - TLS DiffieHellman public key: W - TLS preprimary secret : E,G - TLS derived session key : G - TLS © 2025 F5, Inc.

Page 42

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access primary secret: G Maintain TLS data Service TLS TLS Key Administr TLS encryption, Indicat Derived session Wrapping/Unwr ator Session authenticat or: Session informatio apping with - TLS ion Approv key n authenticated derived ed encryption session Key key : E Wrapping/Unwr Auditor apping with - TLS encryption and derived authentication session in TLS key : E Certificat e Manager - TLS derived session key : E Manager - TLS derived session key : E iRule Manager - TLS derived session key : E Operator - TLS derived session key : E Resource Manager - TLS derived session key : E User Manager - TLS derived session key : E © 2025 F5, Inc.

Page 43

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access Delete Utility None SSH key to Confirmati None Administr ssh- service delete on of SSH ator keyswap delete ssh key - SSH keys deletion ECDSA private key: Z - SSH ECDSA public key: Z Resource Manager - SSH ECDSA private key: Z - SSH ECDSA public key: Z Reboot Restart the Module None Confirmati None Administr System cryptograp reboots on of ator hic module system - TLS reboot primary secret: Z - TLS derived session key : Z Secure Full system Module Selection Confirmati None Administr Erase zeroization end of option on of full ator life system - TLS RSA zeroization private key: Z - TLS RSA public key: Z - TLS ECDSA private key: Z - TLS ECDSA public key: Z - SSH ECDSA public key: Z - SSH © 2025 F5, Inc.

Page 44

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access ECDSA private key: Z Password :Z Show Return the N/A N/A Module None Administr version HW and FW name and ator versions version Auditor and the Certificat module's e name Manager Manager iRule Manager Operator Resource Manager User Manager Show Return the N/A N/A Module None Administr Status module status ator status Auditor Certificat e Manager Manager iRule Manager Operator Resource Manager User Manager Close Closing TLS N/A N/A Confirmati None Administr TLS / SSH / SSH on of ator session session TLS/SSH - TLS EC session Diffieclosure Hellman private key: Z - TLS EC DiffieHellman public key: Z - TLS preprimary secret : Z - TLS © 2025 F5, Inc.

Page 45

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access primary secret: Z - TLS derived session key : Z - SSH shared secret: Z - SSH derived session key : Z - SSH EC DiffieHellman private key: Z - SSH EC DiffieHellman public key: Z - TLS DiffieHellman public key: Z - TLS DiffieHellman private key: Z Auditor - TLS EC DiffieHellman private key: Z - TLS EC DiffieHellman public key: Z - TLS preprimary secret : Z - TLS primary secret: Z - TLS © 2025 F5, Inc.

Page 46

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access derived session key : Z - SSH shared secret: Z - SSH derived session key : Z - SSH EC DiffieHellman private key: Z - SSH EC DiffieHellman public key: Z - TLS DiffieHellman public key: Z - TLS DiffieHellman private key: Z Certificat e Manager - TLS EC DiffieHellman private key: Z - TLS EC DiffieHellman public key: Z - TLS preprimary secret : Z - TLS primary secret: Z - TLS derived © 2025 F5, Inc.

Page 47

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access session key : Z - SSH shared secret: Z - SSH derived session key : Z - SSH EC DiffieHellman private key: Z - SSH EC DiffieHellman public key: Z - TLS DiffieHellman public key: Z - TLS DiffieHellman private key: Z Manager - TLS EC DiffieHellman public key: Z - TLS EC DiffieHellman private key: Z - TLS preprimary secret : Z - TLS primary secret: Z - TLS derived session key : Z - SSH © 2025 F5, Inc.

Page 48

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access shared secret: Z - SSH derived session key : Z - SSH EC DiffieHellman private key: Z - SSH EC DiffieHellman public key: Z - TLS DiffieHellman public key: Z - TLS DiffieHellman private key: Z iRule Manager - TLS EC DiffieHellman public key: Z - TLS EC DiffieHellman private key: Z - TLS preprimary secret : Z - TLS primary secret: Z - TLS derived session key : Z - SSH shared secret: Z © 2025 F5, Inc.

Page 49

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access - SSH derived session key : Z - SSH EC DiffieHellman private key: Z - SSH EC DiffieHellman public key: Z - TLS DiffieHellman public key: Z - TLS DiffieHellman private key: Z Operator - TLS EC DiffieHellman private key: Z - TLS EC DiffieHellman public key: Z - TLS preprimary secret : Z - TLS primary secret: Z - TLS derived session key : Z - SSH shared secret: Z - SSH derived session © 2025 F5, Inc.

Page 50

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access key : Z - SSH EC DiffieHellman private key: Z - SSH EC DiffieHellman public key: Z - TLS DiffieHellman public key: Z - TLS DiffieHellman private key: Z Resource Manager - TLS EC DiffieHellman public key: Z - TLS EC DiffieHellman private key: Z - TLS preprimary secret : Z - TLS primary secret: Z - TLS derived session key : Z - SSH shared secret: Z - SSH derived session key : Z - SSH EC © 2025 F5, Inc.

Page 51

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access DiffieHellman private key: Z - SSH EC DiffieHellman public key: Z - TLS DiffieHellman public key: Z - TLS DiffieHellman private key: Z User Manager - TLS EC DiffieHellman private key: Z - TLS EC DiffieHellman public key: Z - TLS preprimary secret : Z - TLS primary secret: Z - TLS derived session key : Z - SSH derived session key : Z - SSH EC DiffieHellman private key: Z - SSH EC © 2025 F5, Inc.

Page 52

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access DiffieHellman public key: Z - TLS DiffieHellman public key: Z - TLS DiffieHellman private key: Z Self-tests Execute Integrit N/A Pass or fail Key pair Administr integrity y test, generation ator test. CASTs Key pair Auditor Execute from verification Certificat the CASTs section Signature e

10 generation Manager

Signature Manager verification iRule Random Manager Number Operator Generation in Resource Control Plane Manager Random User Number Manager Generation in Data Plane Show Return N/A N/A FIPS None Administr license license license ator indication informatio Auditor n Certificat e Manager Manager iRule Manager Operator Resource Manager User Manager Import Import TLS None Certificate Confirmati None Administr TLS Certificate to import on of ator Certificat import of - TLS RSA e certificate public key: W - TLS © 2025 F5, Inc.

Page 53

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access ECDSA public key: W Certificat e Manager - TLS RSA public key: W - TLS ECDSA public key: W Export Export None Certificate Exported None Administr Certificat Certificate to export Certificate ator e File File file - TLS ECDSA public key: R - TLS RSA public key: R Certificat e Manager - TLS RSA public key: R - TLS ECDSA public key: R Create Utility Service SSH key to Confirmati Key pair Administr ssh- service Indicat create on of SSH generation ator keyswap create ssh or: key - SSH keys Approv creation ECDSA ed private key: G - SSH ECDSA public key: G Resource Manager - SSH ECDSA private key: G - SSH ECDSA © 2025 F5, Inc.

Page 54

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access public key: G Configur Set policy None Policy Confirmati None Administr e Firewall rules, and rules, on of ator address address policy lists for use lists configurati by firewall on rules Show Display the None N/A Display None Administr firewall current the ator state system- current Manager wide state system of firewall wide state rules of the firewall rules. Shows Shows None N/A List of None Administr statistics statistics of statistics ator firewall of firewall Manager rules on rules the BIG-IP system View Display None N/A Display of None Administr System logs/files of system ator Audit Log configurati audit logs Auditor on changes Resource Manager Export Export None N/A Display None Administr Analytics Analytics System ator Logs Logs Analytics Auditor System System Logs Enable/ Enable/ None N/A Confirmati None Administr Disable Disable on of ator Audit Audit enabling Resource or Manager disabling of audit Configur Enable None Boot Confirmati None Administr e Boot Quiet boot, options on of ator Options Manage configurati Resource boot on of boot Manager locations options Configur Enable / None SSH access Confirmati None Administr e SSH Disable / IP address on of ator access SSH list configurati Resource options access, on of SSH Manager Configure access options © 2025 F5, Inc.

Page 55

Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access IP address allow list Configur Update None ssh/ Confirmati None Administr e SSH ssh/ authorized_ on of ator user authorized_ keys file configurati - SSH configura keys file for on of SSH ECDSA tion user user public authenticat configurati key: W ion on Configur Configure None Firewall Confirmati None Administr e Firewall Firewall user and on of ator Users Users configurati configurati on on information Modify Enable / None Which Confirmati None Administr nodes Disable nodes and on of ator and pool nodes and pool modificati members pool members on of members to modify nodes and pool members Configur Create, None List of Confirmati None Administr e nodes modify, nodes to on of ator view, create / creation / Manager delete modify / modificati Resource nodes view / on / Manager delete display / deletion of nodes Configur Create, None List of Confirmati None Administr e iRules modify, iRules to on of ator view, create / creation / Manager delete, modify/ modificati Resource iRules view/ on / Manager delete display / deletion of iRules Table 13: Approved Services For the above table, the convention below applies when specifying the access permissions (types) that the service has for each SSP. G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroize: The module zeroizes the SSP. © 2025 F5, Inc.

Page 56
4.4 Non-Approved Services

Name Description Algorithms Role Maintain TLS Data encryption, HMAC-SHA2-224, HMAC-SHA2-512 CO / session Data authentication Triple-DES, Camellia, SEED User DSA with all key and SHA sizes SSLO Management of the TLS ciphersuites implemented by f5- CO / Configuration and module protected by rest-node User usage iApplx authentication iControl REST Access to the RSA keypair with 2048, 3072 and 4096 CO / access system through (REST API) User REST API IPsec /IKEv2 Protocol HMAC-SHA2-256, HMAC-SHA2-512, CO / configuration AES-GCM User Diffie-Hellman using MODP1024, MODP2048 groups Triple-DES, AES-GCM-128, AES-192, AES-256 Simple network Protocol SHA-1, AES-ECB, RSA- signature CO / management configuration verification User protocol (SNMP) Establish TLS Signature PKCS #1 v1.5 scheme with modulus CO / session generation and other than 2048, 3072 or 4096 bits, for User verification, Key all SHA sizes Exchange PKCS #1 v1.5 and PSS schema with modulus size 2048, 3072, 4096 bits with SHA-1, SHA2-224, SHA2-512; ANS X9.31 PKCS #1 v1.5 and PSS schema with modulus size 2048, 3072, 4096 bits with SHA2-224, SHA2-512 ECDSA with curves P-256, P-384 with SHA-1, SHA2-224, SHA2-512; ECDSA using curves other than P-256 and P384, all SHA sizes ECDSA with curves P-256, P-384 with SHA2-224, SHA2-512; ECDSA using curves other than P-256 and P-384, all SHA sizes RSA with modulus sizes up to 16384 bits MD5/ SHA-1/ SHA2-224 / SHA2-512 EdDSA with Ed25519 EC Diffie-Hellman Ephemeral Unified with curves other than P-256, P-384. EC Diffie-Hellman using onePassDH / StaticUnified schemes. Diffie-Hellman using groups other than ffdhe2048, ffdhe3072, ffdhe4096 Table 14: Non-Approved Services © 2025 F5, Inc.

Page 57
4.5 External Software/Firmware Loaded
Page 58
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is using the approved integrity technique HMAC-SHA-384. Integrity tests are performed as part of the Pre-Operational Self-Tests. The HMAC key used for integrity check is stored within the module.

5.2 Initiate on Demand

The on demand integrity test is performed as part of the Pre-Operational Self-Tests by powering the module off and powering it on again. © 2025 F5, Inc.

Page 59
6 Operational Environment
6.1 Operational Environment Type and Requirements

The module operates in a non-modifiable operational environment provided by F5 called TMOS 17.1.0.1. The module is a hardware validated at a Security Level 2 in Physical Security. Once the module is operational, it does not allow the loading of any additional firmware. There are no further requirements for this security area. Type of Operational Environment: Non-Modifiable © 2025 F5, Inc.

Page 60
7 Physical Security
7.1 Mechanisms and Actions Required

Mechanism Inspection Inspection Guidance Frequency Production N/A N/A grade enclosure (SL1) Opaque N/A N/A enclosure (SL2) Tamper Once per The Crypto Officer/ Administrator is responsible for Evident Labels month inspecting the quality of the tamper labels on a regular (SL2) basis to confirm that the module has not been tampered with. The Crypto Officer/ Administrator checks the quality of the tamper evident labels for any sign of removal, replacement, tearing, etc. If any label is found to be damaged or missing, a kit providing 25 tamper labels is available for purchase. Table 15: Mechanisms and Actions Required

7.2 User Placed Tamper Seals

Number: Hardware Appliance # of Tamper Labels BIG-IP i4600, 8 BIG-IP i4800 BIG-IP i5600, BIG-IP i5800 7 BIG-IP i5820-DF BIG-IP i7600 BIG-IP i7800 8 BIG-IP i7820-DF BIG-IP i10600 7 BIG-IP i10800 BIG-IP i11600-DS 7 BIG-IP i11800-DS BIG-IP i15600 BIG-IP i15800 7 BIG-IP i15800-DF VIPRION C2400-B2250 1 VIPRION C4480-B4450 2 Placement: The pictures below show the location of all tamper evident labels for each hardware appliance. The tamper labels are delineated with red circles in the pictures below. © 2025 F5, Inc.

Page 61

Figure 9 - Tamper labels on BIG-IP i4600 and BIG-IP i4800 (8 of 8 tamper labels and one opaque screen on second PSU slot) Figure 10

Page 62

Figure 11

Page 63

Figure 13

1 label on the front, 4 labels on the sides, 2 tamper labels shown circled in orange to mark with

evidence the unauthorized removal of the fan tray and PSUs (replaceable items) that give access to replaceable storage drives. Figure 14

Page 64

Figure 15

7.3 Filler Panels

Hardware Appliance # of Filler Panels BIG-IP i4600, 1 (blank PSU slot) BIG-IP i4800 BIG-IP i5600, BIG-IP i5800 1 (blank PSU slot) BIG-IP i5820-DF BIG-IP i7600 BIG-IP i7800 0 BIG-IP i7820-DF BIG-IP i10600 0 BIG-IP i10800 BIG-IP i11600-DS 0 BIG-IP i11800-DS BIG-IP i15600 BIG-IP i15800 0 BIG-IP i15800-DF © 2025 F5, Inc.

Page 65

Hardware Appliance # of Filler Panels VIPRION C2400-B2250 1 (blank blade slot under blade B2250) VIPRION C4480-B4450 1 (blank blade slot over blade B4450) © 2025 F5, Inc.

Page 66
8 Non-Invasive Security

Per IG 12.A: Until requirements of SP 800-140F are defined, non-invasive mechanisms fall under ISO / IEC 19790:2012 Section 7.12 Mitigation of other attacks. © 2025 F5, Inc.

Page 67
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM The keys are stored in plaintext form are only accessible to the Dynamic authenticated operator, to which the SSPs are associated SSD/ The keys stored in plaintext and the password will remain on Static HDD the system across power cycle and are only accessible to the authenticated operator to which the SSPs are associated Table 16: Storage Areas

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm SSPs input during User Module Encrypted Automated Electronic TLS/SSH sessions Public key output Module User Plaintext Automated Electronic during protocol handshake Public key input User Module Plaintext Automated Electronic during protocol handshake Table 17: SSP Input-Output Methods The module only allows entry/output of public keys in plaintext from outside of the module's cryptographic boundary as part of protocol handshake process. Once TLS/SSH session is established any key or data transfer performed thereafter is protected by authenticated encryption provided by the respective protocol

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Secure Erase Single pass All SSPs present in The Crypto Officer/ zeroization erasing the module are Administrator is calling the the HDD or SSD erased including Secure Erase service which contents and the the one in the non- can only be triggered during module itself volatile memory reboot of the test platform Reboot Clear the SSPs Volatile memory The Crypto System present in RAM used by the module Officer/Administrator is memory is overwritten calling Reboot System service within nanoseconds when the system is reboot. © 2025 F5, Inc.

Page 68

Zeroization Description Rationale Operator Initiation Method Delete SSH Destruction of the Zeroization service The Administrator or keyswap selected SSH overwrites the Resource Manager are calling ECDSA memory occupied the Delete SSH keyswap authentication key by keys with "zeros" service or pre-defined values. Closing Zeroization of all SSP values Closing TLS/SSH Connection TLS/SSH session specific generated during Connection keys key generation services are zeroized by the module Table 18: SSP Zeroization Methods

9.4 SSPs

Name Descriptio Size - Type - Generat Establish Used By n Strength Category ed By ed By TLS RSA private Modulus N: Asymmet Key pair Signatur RSA key used for 2048 and 4096- ric - CSP generatio e private RSA bits - 112 and n generatio key signature 150-bits n generation in TLS protocol TLS RSA public Modulus N: Asymmet Key pair Signatur RSA key used for 2048 and 4096- ric - PSP generatio e public RSA bits - 112 and n verificati key signature 150-bits on verification in TLS protocol TLS ECDSA Curve: P-256, P- Asymmet Key pair Signatur ECDSA private key 384 - 128 and ric - CSP generatio e private used for EC 192-bits n generatio key signature n generation, shared secret computatio n in TLS protocol TLS ECDSA Curve: P-256, P- Asymmet Key pair Key pair ECDSA public key 384 - 128 and ric - PSP generatio verificati public used for EC 192-bits n on key signature Signatur verification, e shared verificati secret on © 2025 F5, Inc.

Page 69

Name Descriptio Size - Type - Generat Establish Used By n Strength Category ed By ed By computatio n in TLS protocol TLS EC TLS EC Curve: P-256, P- Asymmet Key pair Signatur Diffie- Diffie- 384 - 128 and ric - CSP generatio e Hellma Hellman 192-bits n generatio n private key n private used for EC key signature generation, shared secret computatio n in TLS protocol TLS EC EC Diffie- Curve: P-256, P- Asymmet Key pair Key pair Diffie- Hellman 384 - 128 and ric - PSP generatio verificati Hellma public key 192-bits n on n public used for Signatur key signature e verification, verificati shared on secret computatio n in TLS protocol TLS TLS pre- Curve: ECDH: P- Asymmet TLS TLS pre- primary 256, P-384 / ric - CSP Handshake Handsha primary secret used Curve: DH: (ECC) ke (ECC) secret for deriving ffdhe2048, TLS TLS the TLS ffdhe3072, Handshake Handsha primary ffdhe4096 - (FFC) ke (FFC) secret ECDH: 128 and 192-bits / DH: 112, 128, 150bits TLS TLS primary 384-bits - 128 Pre- TLS TLS primary secret used or 192-bits primary Handshake Handsha secret for deriving secret - (ECC) ke (ECC) the TLS CSP derived key TLS TLS derived Key length: Symmetri TLS TLS derived session key 128 and 256- c Key - Handshake Handsha session from TLS bits (AES); CSP (ECC) ke (ECC) key primary HMAC_SHA1, TLS TLS secret HMAC-SHA2- Handshake Handsha 256, HMAC- (FFC) ke (FFC) SHA2-382 - 128 or 192 bits © 2025 F5, Inc.

Page 70

Name Descriptio Size - Type - Generat Establish Used By n Strength Category ed By ed By SSH SSH shared Curve: P-256, P- Symmetri SSH SSH shared secret used 384 - 128 or c Key - Handshake Handsha secret for deriving 192-bits CSP ke the SSH key SSH SSH derived Key length: 128 Shared SSH SSH derived session key and 256-bits secret - Handshak Handsha session (AES);HMAC_SH CSP e ke key A1, HMACSHA2-256, - 128 or 192 bits Entropy Entropy 384 bits - 384 Random Random input input string bits number Number used to generatio Generati seed the n - CSP on in DRBG Control Plane Random Number Generati on in Data Plane DRBG DRBG seed 384 bits - 384 Random Random Random seed derived bits number Number Number from generatio Generatio Generati entropy n - CSP n in on in input as Control Control defined in Plane Plane SP 800- Random Random 90Ar1 Number Number Generatio Generati n in Data on in Plane Data Plane DRBG Internal 384 bits - 384 Random Random Random internal state of bits number Number Number state (V CTR_DRBG generatio Generatio Generati and key n - CSP n in on in values) Control Control Plane Plane Random Random Number Number Generatio Generati n in Data on in Plane Data Plane SSH ECDSA Curve: P-256, P- Asymmet Key pair ECDSA private key 384 - 128 and ric - CSP generatio used for 192-bits n © 2025 F5, Inc.

Page 71

Name Descriptio Size - Type - Generat Establish Used By n Strength Category ed By ed By private key-based key authenticati on in SSH protocol SSH ECDSA Curve: P-256, P- Asymmet Key pair ECDSA private key 384 - 128 and ric - PSP generatio public used for 192-bits n key key-based authenticati on in SSH protocol SSH EC EC Diffie- Curve: P-256, P- Asymmet Key pair Signatur Diffie- Hellman 384 - 128 and ric - CSP generatio e Hellma private key 192-bits n generatio n used for key n private exchange in key SSH protocol SSH EC EC Diffie- Curve: P-256, P- Asymmet Key pair Key pair Diffie- Hellman 384 - 128 and ric - PSP generatio verificati Hellma private key 192-bits n on n public used for key Signatur key exchange in e SSH verificati protocol on Passwo Password 8 characters - Password rd input by the 1/676,000,000 - CSP User or CO during creation of a new user or updating an existing password TLS TLS Diffie- Curve: Asymmet Key pair Key pair Diffie- Hellman ffdhe2048, ric - PSP generatio verificati Hellma private key ffdhe3072, n on n public used for EC ffdhe4096 - 112 Signatur key signature to 150-bits e generation, verificati shared on secret TLS computatio Handsha n in TLS ke (FFC) protocol TLS TLS Diffie- Curve: Asymmet Key pair Signatur Diffie- Hellman ffdhe2048, ric - CSP generatio e Hellma public key ffdhe3072, n generatio n used for n © 2025 F5, Inc.

Page 72

Name Descriptio Size - Type - Generat Establish Used By n Strength Category ed By ed By private signature ffdhe4096 - 112 TLS key verification, to 150-bits Handsha shared ke (FFC) secret computatio n in TLS protocol Table 19: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration TLS RSA SSD/ From Secure Erase RSA public private HDD:Plaintext handle key:Paired With key creation until freeing the cipher handle TLS RSA Public key SSD/ From Secure Erase RSA private public key input during HDD:Plaintext handle key:Paired With protocol creation handshake until Public key freeing the output cipher during handle protocol handshake TLS SSD/ From Secure Erase ECDSA public ECDSA HDD:Plaintext handle key:Paired With private creation key until freeing the cipher handle TLS Public key SSD/ From Secure Erase ECDSA private ECDSA input during HDD:Plaintext handle key:Paired With public key protocol creation handshake until Public key freeing the output cipher during handle protocol handshake TLS EC RAM:Plaintext From Reboot EC DiffieDiffie- handle System Hellman public Hellman creation Closing key:Paired With private until TLS/SSH key freeing the Connection © 2025 F5, Inc.

Page 73

Name Input - Storage Storage Zeroization Related SSPs Output Duration cipher handle TLS EC Public key RAM:Plaintext From Reboot EC DiffieDiffie- input during handle System Hellman private Hellman protocol creation Closing key:Paired With public key handshake until TLS/SSH Public key freeing the Connection output cipher during handle protocol handshake TLS pre- RAM:Plaintext From Reboot TLS primary primary handle System secret:Used secret creation Closing With until TLS/SSH freeing the Connection cipher handle TLS RAM:Plaintext From Reboot TLS pre-primary primary handle System secret :Used secret creation Closing With until TLS/SSH freeing the Connection cipher handle TLS RAM:Plaintext From Reboot TLS primary derived handle System secret:Derived session creation Closing From key until TLS/SSH freeing the Connection cipher handle SSH RAM:Plaintext From Reboot SSH derived shared handle System session key secret creation Closing :Used With until TLS/SSH freeing the Connection cipher handle SSH RAM:Plaintext From Reboot SSH shared derived handle System secret:Derived session creation Closing From key until TLS/SSH freeing the Connection cipher handle Entropy RAM:Plaintext Storage Reboot DRBG seed input duration System :Used With © 2025 F5, Inc.

Page 74

Name Input - Storage Storage Zeroization Related SSPs Output Duration during the usage of the CSP DRBG RAM:Plaintext Storage Reboot DRBG internal seed duration System state (V and key during the values) :Used usage of With the CSP DRBG RAM:Plaintext Storage Reboot DRBG seed internal duration System :Used With state (V during the and key usage of values) the CSP SSH SSD/ From Secure Erase ECDSA HDD:Plaintext handle Delete SSH private creation keyswap key until freeing the cipher handle SSH SSPs input SSD/ From Secure Erase ECDSA during HDD:Plaintext handle Delete SSH public key TLS/SSH creation keyswap sessions until freeing the cipher handle SSH EC RAM:Plaintext From Reboot Diffie- handle System Hellman creation Closing private until TLS/SSH key freeing the Connection cipher handle SSH EC Public key RAM:Plaintext From Reboot Diffie- output handle System Hellman during creation Closing public key protocol until TLS/SSH handshake freeing the Connection Public key cipher input during handle protocol handshake Password SSPs input SSD/ From Secure Erase during HDD:Plaintext handle TLS/SSH creation sessions until freeing the © 2025 F5, Inc.

Page 75

Name Input - Storage Storage Zeroization Related SSPs Output Duration cipher handle TLS Diffie- Public key SSD/ From Reboot Hellman output HDD:Plaintext handle System public key during creation Closing protocol until TLS/SSH handshake freeing the Connection Public key cipher input during handle protocol handshake TLS Diffie- SSD/ From Reboot Hellman HDD:Plaintext handle System private creation Closing key until TLS/SSH freeing the Connection cipher handle Table 20: SSP Table 2 © 2025 F5, Inc.

Page 76
10 Self-Tests

At power-up the module performed the pre-operational self-tests (the integrity test) and the conditional cryptographic algorithm tests (CASTs). Both the pre-operational tests and conditional tests are performed without operator intervention, without any external controls, externally provided test vectors, output results and the determination of pass of fail is done by the module. If the module fails any of the tests, the module transitions to the error state and a corresponding error indication is given. The module becomes inoperable, and no services are available. Data output and cryptographic operations are inhibited while the module is in the error State.

10.1 Pre-Operational Self-Tests

Algorithm Test Test Method Test Indicator Details or Test Properties Type HMAC- HMAC key: Message SW/FW Module Integrity of the SHA2-384 384-bits Authentication Integrity becomes module is verified (A3698) operational by comparing the HMAC-SHA2-384 value calculated at runtime with the HMAC-SHA2-384 value stored in the module that was computed at build time HMAC- HMAC key: Message SW/FW Module Integrity of the SHA2-384 384-bits Authentication Integrity becomes module is verified (A3697) operational by comparing the HMAC-SHA2-384 value calculated at runtime with the HMAC-SHA2-384 value stored in the module that was computed at build time Table 21: Pre-Operational Self-Tests The pre-operational self-tests are performed automatically when the module is powered on. Services are not available during the pre-operational self-test and the data output interface is inhibited. On successful completion of the pre-operational self-tests, the module enters operational mode and cryptographic services are available. © 2025 F5, Inc.

Page 77
10.2 Conditional Self-Tests

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Counter AES-256 in KAT CAST Module SP 800- Test runs at DRBG CTR mode, becomes 90ARev1 power on (A3697) with and operational section 11.3 without health tests derivation function, prediction resistance disabled AES-CBC 128-bit key KAT CAST Module Encryption / Test runs at (A3698) becomes decryption power on operational AES-GCM 128-bit key KAT CAST Module Encryption / Test runs at (A3698) becomes decryption power on operational RSA SigGen 2048 bit key KAT CAST Module Signature Test runs at (FIPS186-4) and SHA2- becomes generation power on (A3698) 256 operational RSA SigVer 2048 bit key KAT CAST Module Signature Test runs at (FIPS186-4) and SHA2- becomes verification power on (A3698) 256 operational RSA KeyGen Requested PCT PCT Asymmetric Calculation Key (FIPS186-4) modulus algorithm is and generation (A3697) size, SHA2- performed verification

256 of a digital

signature ECDSA P-256 and KAT CAST Module Signature Test runs at SigGen SHA2-256 becomes generation power on (FIPS186-4) operational (A3698) ECDSA Requested PCT PCT Asymmetric Calculation Key KeyGen curve size, algorithm is and generation (FIPS186-4) SHA2-256 performed verification (A3698) of a digital signature KAS-ECC- P-256 KAT CAST Module Shared Test runs at SSC Sp800- becomes secret power on 56Ar3 operational computation (A3698) HMAC-SHA-1 HMAC-SHA- KAT CAST Module MAC Test runs at (A3697) 1 becomes power on operational HMAC-SHA2- HMAC- KAT CAST Module MAC Test runs at

256 (A3698) SHA2-256 becomes power on

Page 78

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type TLS v1.2 KDF SHA-256 KAT CAST Module Key Test runs at RFC7627 becomes derivation power on (A3698) operational used in the TLS protocol KDF SSH SHA-256 KAT CAST Module Key Test runs at (A3697) becomes derivation power on operational used in the SSH protocol HMAC-SHA2- HMAC-SHA- KAT CAST Module MAC Test runs at

384 (A3697) 384 becomes power on

operational AES-GCM 128-bit key KAT CAST Module Encryption / Test runs at (A3697) becomes decryption power on operational RSA SigGen 2048 bit key KAT CAST Module Signature Test runs at (FIPS186-4) and SHA2- becomes generation power on (A3697) 256 operational RSA SigVer 2048 bit key KAT CAST Module Signature Test runs at (FIPS186-4) and SHA2- becomes verification power on (A3697) 256 operational KAS-ECC- P-256 KAT CAST Module Shared Test runs at SSC Sp800- becomes secret power on 56Ar3 operational computation (A3697) ECDSA P-256 and KAT CAST Module Signature Test runs at SigVer SHA2-256 becomes verification power on (FIPS186-4) operational (A3698) Safe Primes Requested PCT PCT Asymmetric Calculation Key Key curve size algorithm is and generation Generation performed verification (A3698) of shared secret KAS-FFC-SSC ffdhe2048 KAT CAST Module Shared Test runs at Sp800-56Ar3 becomes secret power on (A3698) operational computation HMAC-SHA2- HMAC-SHA- KAT CAST Module MAC Test runs at

384 (A3698) 384 becomes power on

operational Safe Primes Requested PCT PCT Asymmetric Calculation Key Key curve size algorithm is and generation Generation performed verification (A3697) of shared secret ECDSA Requested PCT PCT Asymmetric Calculation Key KeyGen curve size, algorithm is and generation SHA2-256 performed verification © 2025 F5, Inc.

Page 79

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type (FIPS186-4) of a digital (A3697) signature ECDSA P-256 and KAT CAST Module Signature Test runs at SigGen SHA2-256 becomes generation power on (FIPS186-4) operational (A3697) ECDSA P-256 and KAT CAST Module Signature Test runs at SigVer SHA2-256 becomes verification power on (FIPS186-4) operational (A3697) KAS-FFC-SSC ffdhe2048 KAT CAST Module Shared Test runs at Sp800-56Ar3 becomes secret power on (A3697) operational computation HMAC-SHA2- HMAC-SHA- KAT CAST Module MAC Test runs at

256 (A3697) 256 becomes power on

operational TLS v1.2 KDF SHA-256 KAT CAST Module Key Test runs at RFC7627 becomes derivation power on (A3697) operational used in the TLS protocol HMAC-SHA-1 HMAC-SHA- KAT CAST Module MAC Test runs at (A3698) 1 becomes power on operational AES-CBC 128-bits key KAT CAST Module Encryption/ Test runs at (A3697) becomes decryption power on operational ESV - Startup test RCT CAST Module is SP 800-90B Performed Repetition with 1024 operational Heath test upon startup Count Test samples; (Startup) Cutoff value = 90 ESV - Cutoff value RCT CAST Module is SP 800-90B Continuous Repetition = 90 operational Heath test test Count Test performed (Continuous) for Entropy Source while the module is operating ESV - Startup test APT CAST Module is SP 800-90B Performed Adaptive with 1024 operational Heath test upon startup Proportional samples; Test Cutoff value (Startup) = 459 ESV - Cutoff value APT CAST Module is SP 800-90B Performed Adaptive = 459 operational Heath test upon startup Proportional © 2025 F5, Inc.

Page 80

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Test (Continuous) Table 22: Conditional Self-Tests The non-physical entropy source performs the SP 800-90B health test (APT and RCT) classified as CAST:

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- Message SW/FW Integrity Determined by Module is

384 (A3698) Authentication the operator powered-off and

on HMAC-SHA2- Message SW/FW Integrity Determined by Module is

384 (A3697) Authentication the operator powered-off and

on Table 23: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method Counter DRBG KAT CAST On Demand Manually (A3697) AES-CBC KAT CAST On Demand Manually (A3698) AES-GCM KAT CAST On Demand Manually (A3698) RSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3698) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3698) RSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3697) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3698) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3698) © 2025 F5, Inc.

Page 81

Algorithm or Test Method Test Type Period Periodic Test Method KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3698) HMAC-SHA-1 KAT CAST On Demand Manually (A3697) HMAC-SHA2- KAT CAST On Demand Manually

256 (A3698)

TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A3698) KDF SSH KAT CAST On Demand Manually (A3697) HMAC-SHA2- KAT CAST On Demand Manually

384 (A3697)

AES-GCM KAT CAST On Demand Manually (A3697) RSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3697) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3697) KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3697) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3698) Safe Primes Key PCT PCT On Demand Manually Generation (A3698) KAS-FFC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3698) HMAC-SHA2- KAT CAST On Demand Manually

384 (A3698)

Safe Primes Key PCT PCT On Demand Manually Generation (A3697) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A3697) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3697) © 2025 F5, Inc.

Page 82

Algorithm or Test Method Test Type Period Periodic Test Method ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3697) KAS-FFC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A3697) HMAC-SHA2- KAT CAST On Demand Manually

256 (A3697)

TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A3697) HMAC-SHA-1 KAT CAST On Demand Manually (A3698) AES-CBC KAT CAST On Demand Manually (A3697) ESV - Repetition RCT CAST Prior to entropy Automatically Count Test generation (Startup) ESV - Repetition RCT CAST Prior to entropy Automatically Count Test generation (Continuous) ESV - Adaptive APT CAST Prior to entropy Automatically Proportional generation Test (Startup) ESV - Adaptive APT CAST Prior to entropy Automatically Proportional generation Test (Continuous) Table 24: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Halt Module is no Integrity test The module For Integrity test failure, Error longer operational. failure must be re- CASTs and health tests The data output is Failure of any of loaded the module will not load. inhibited. the CASTs For PCTs failure the Failure of any of module transitions to the PCTs error state. Failure of the APT, RCT at restart (poweron) Health Module is no Failure of the The module The module reboot in a Test longer operational. APT, RCT at must be re- loop Error runtime loaded © 2025 F5, Inc.

Page 83

Name Description Conditions Recovery Indicator Method The data output is inhibited. Table 25: Error States The module must reboot to re-loaded with a fresh image to clear the error condition.

10.5 Operator Initiation of Self-Tests

On demand and periodic self-tests are performed by powering off the module and powering it on again. This service performs the same cryptographic algorithm tests executed during pre-operational self-tests and CASTs. During the execution of the periodic and on-demand self-tests, crypto services are not available and no data output or input is possible. © 2025 F5, Inc.

Page 84
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Startup Procedures: The module is distributed as a part of a BIG-IP product which includes the hardware and an installed copy of firmware with version 17.1.0.1. The hardware devices are shipped directly from the hardware manufacturer/authorized subcontractor via trusted carrier and tracked by that carrier. The hardware is shipped in a sealed box that includes a packing slip with a list of components inside, and with labels outside printed with the product nomenclature, sales order number, and product serial number. Upon receipt of the hardware, the customer is required to perform the following verifications:

Page 85

License Confirmation: The FIPS validated module activation requires installation of the license referred as ‘FIPS license’. The Crypto Officer should call the show license service (with command "tmsh show sys license"), then verify that the list of license flags includes "FIPS 140-3”. Additional Guidance: The Crypto Officer should verify that the following specific configuration rules are followed in order to operate the module in the FIPS validated configuration.

11.2 Administrator Guidance

The Crypto Officer should confirm that version and license are provided according to the documentation in section 11.1. The Crypto Officer should follow the additional guidance in section 11.1 to operate the module in the approved validated configuration. The ESV Public Use Document (PUD) reference for non-physical entropy source is as follows: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropyvalidations/certificate/74

11.3 Non-Administrator Guidance
11.4 Design and Rules
11.5 End of Life

Secure sanitization of the module consists of using the secure erase service that will perform single pass zero write erasing the disk contents. The service can only be triggered by the administrator during reboot of the device. © 2025 F5, Inc.

Page 86
12 Mitigation of Other Attacks

The module does not implement security mechanisms to mitigate other attacks. © 2025 F5, Inc.

Page 87

Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DES Data Encryption Standard DF Derivation Function DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ESV Entropy Source Validation FFC Finite Field Cryptography FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code KAS Key Agreement Schema KAT Known Answer Test KW AES Key Wrap MAC Message Authentication Code NDF No Derivation Function NIST National Institute of Science and Technology OFB Output Feedback PAA Processor Algorithm Acceleration PCT Pairwise Consistency Test PR Prediction Resistance PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SHS Secure Hash Standard SSH Secure Shell TDES Triple-DES XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 F5, Inc.

Page 88

Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips140-3-ig-announcements FIPS180-4 Secure Hash Standard (SHS) August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS186-5 Digital Signature Standard (DSS) February 2023 https://doi.org/10.6028/NIST.FIPS.186-5 FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt SP 800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf © 2025 F5, Inc.

Page 89

SP 800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP 800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP 800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP 800-56Ar3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://doi.org/10.6028/NIST.SP.800-56Ar3 SP 800-56Cr2 Recommendation for Key Derivation through Extraction-thenExpansion August 2020 https://doi.org/10.6028/NIST.SP.800-56Cr2 SP 800-57 NIST Special Publication 800-57 Part 1 Revision 4 Recommendation for Key Management Part 1: General January 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80057pt1r4.pdf SP 800-67 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf © 2025 F5, Inc.

Page 90

SP 800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://dx.doi.org/10.6028/NIST.SP.800-90Ar1 SP 800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP 800-131r2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://doi.org/10.6028/NIST.SP.800-131Ar2 SP 800-132 NIST Special Publication 800-132 - Recommendation for PasswordBased Key Derivation - Part 1: Storage Applications December 2010 http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP 800-133r2 NIST Special Publication 800-133 - Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP 800-135r1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800135r1.pdf SP 800- NIST Special Publication 800-140B - CMVP Security Policy 140Br1 Requirements Novembre 2023 https://doi.org/10.6028/NIST.SP.800-140Br1 © 2025 F5, Inc.